By Jake Edge
March 20, 2013
At first blush, PyCon doesn't seem
like quite the right venue for a talk on
Mozilla's Persona web
authentication and identity system. Persona is not Python-specific at all, but
given the number of web application and framework developers at the
conference, it starts to become clear why Mozilla's Dan Callahan was there.
Python
also gave him the ability to do a live demo of adding Persona support to a
Flask-based web site during the
well-attended talk.
Kill the password
In a nutshell, Persona is Mozilla's attempt to "kill the password",
Callahan said to applause. It is a simple, open system that is federated
and works cross-browser. Beyond that set of buzzwords, though, the idea
for Persona is that it "works everywhere for everyone".
![[Dan Callahan]](/images/2013/pycon-callahan-sm.jpg)
For an example of using Persona, Callahan visited ting.com—a mobile phone service site
from Tucows—that has a login page supporting Persona.
Clicking the
"Sign in with Persona" button popped up a window with two of his email
addresses and
a sign-in button. Since he had already used the site before, to log in he
just needed
to choose one of his email addresses (if he is using a different address
from the last
time he visited the site) and click "Sign in". It's "dead simple", he said.
Persona ties identities to email addresses. That has several advantages,
he said. Everyone already has an email address and sites often already
track them. For many web sites, adding Persona support requires no change
to the database schema. That also helps prevent lock-in, as sites that decide
not to continue with Persona are not stuck with it.
Some in the audience might be saying "I can already log in with two
clicks" using a password manager, Callahan said. That's true, but Persona
is not managing passwords. There is no shared secret between the site and
the user.
That means a database breach at the site would not disclose
any information that would be useful for an attacker to authenticate to the
service as the user. While site owners will need to alert their users to a
breach, they won't have to ask them to change passwords. Better still,
they won't have to recommend that the users change their identical passwords at
other sites.
If there are no shared secrets, many of the existing account registration
questions can simply be skipped. The Persona sign-in process provides an
email address, so there
is no reason to prompt for that (twice in many cases), nor for a password
(twice almost always). For example, with sloblog.io and an existing Persona, he can
set up a blog with two clicks.
To prove a point, he was doing his demos from the Opera web browser.
Persona works the same in all major browsers (Firefox, Chrome, Safari,
IE). It uses existing technology and standards and "works everywhere the
web works", he said.
The story behind Persona comes right out of the Mozilla Manifesto,
Callahan said. That manifesto was "written at the height of the browser
wars" and lists ten points that are "crucial to the open web". Principle #2,
"The Internet is a global public resource that must remain open and
accessible", is particularly threatened today, while principle #5,
"Individuals must have the ability to shape their own experiences on
the Internet" speaks directly to the Persona ideal. Nothing is more
important to shape one's internet experience than is the choice of
identity, he said.
"Single" sign-on
There has been a movement toward single sign-on (SSO) in recent years, but
"single" is a misnomer at this point. Many sites allow people to sign in
with their Facebook or Twitter (or Google or Yahoo or MSN or ...) account.
His slide had an example login with a bunch of login icons for those
services, ending with a "Good luck with OpenID" button.
The problem with that approach is that it is like Tribbles (with a requisite
Kirk and Tribbles slide); there are more and more of these service-based
login mechanisms appearing. How does a site pick the right one (or, more
likely, ones)? How does a user remember which of the choices they
used so they can use it on a subsequent visit?
He gave another example: the 500px
login screen. It splits the screen in half, into two sets of choices,
either logging in
via a social network (Facebook, Twitter, or Klout) on one side, or with a
username and password on the other. If a user wants to use a Google or
Microsoft login, they are out of luck. They must create a username and
trust that 500px will do the right thing with their password. He was also
amused to note that he hadn't heard of Klout, so he visited to see what it
was and Klout wanted him to log in using either Facebook or Twitter.
There are also some implications of using the login network of certain
services. Google and Facebook have real-name policies that can sometimes
lead to account suspension when a violation is suspected. That suspension
then trickles out to any other services that use those login mechanisms.
Facebook policies disallow multiple accounts (e.g. personal and business)
as well. Basically, services using Facebook logins are outsourcing their
account policies to Facebook.
It is worth a lot of money for the social networks to get their buttons
onto sites, Callahan
said. So "any solution has to come from someone outside who is not trying
to make a buck off every login". Since Mozilla is on the outside, it is
well positioned to help solve the problem.
The earlier Persona demonstrations were for email addresses that had
already been set up, but Callahan also wanted to show what happens for
users who are not yet signed up. In that case, the user must type in an
email address in the Persona pop-up. Persona checks with the email
provider to see if it supports Persona, if so the email provider authenticates
the user via its normal mechanisms (e.g. web-based login) that the user has seen
plenty of times
before. If the user successfully authenticates, the email provider indicates
that to the site.
Using Persona team members as props, Callahan showed the process. The
user claims a particular email address and the site contacts the email
provider for verification. The email provider asks the user to authenticate
(using a password, two-factor authentication, facial recognition, ...) and
if that is successful, the provider signs the email address and hands it
back to the
site (along with some anti-replay-attack data). The site then verifies the
signature, at which point it knows that the user has that email identity.
Implementing Persona
As can be seen, the description of the protocol and cryptography used was
rather high-level. Callahan's clear intent was to try to convince web
application and framework programmers to get on board with Persona. There
is more information about the underlying details at developer.mozilla.org/persona,
he said.
For the moment, few email providers support Persona, so as an "optional
temporary" measure, sites can ask Mozilla to vouch for the email address.
For example, Gmail does not support Persona (yet), but Mozilla can vouch
for Gmail users by way of a challenge email. Authenticating the email
address to Mozilla need only be done once. But that puts Mozilla in the
middle of each initial authentication right now; eventually the user's email providers will be serving that role.
The documentation lists four things that a site owner needs to do to use
Persona. There is a JavaScript library to include in the login
page, the login/logout buttons need "onClick" attributes added, and the
library needs to be configured. The final piece of the puzzle is to add
verification of the identity assertions (signed email addresses from the
email provider or Mozilla). That verification needs to be done in the
server-side code.
In the future, the hope is that browsers will natively support Persona, but
for now the JavaScript is needed. On the client side, it is 30 or so lines
of JavaScript called from the login and logout paths. The server side is a
little
more complicated, as assertions are cryptographically signed, but that
verification can be handed off to a service that Mozilla runs. The back
end just posts some JSON to the Mozilla service and reads its response.
Those changes take less than 40 lines to implement.
Using the code directly from his slides, Callahan changed both client and
server sides of a demo application. That added the "great user experience"
of Persona logins. It also showed an "amazing developer experience" in how
easy it is to add Persona. Once the demo was done, and the applause died
down, Callahan said "I am so glad that worked" with a relieved grin.
Callahan had three tips for site developers adding Persona support. The
first was to make a library specific to the framework being used that can
be reused in multiple applications. Second, his example used the Mozilla
verifier,
but that is not a good long-term solution for privacy reasons. But, he
cautioned, make sure to use the Python "requests" library when doing
verification as the standard library does not check SSL certificates
properly. Lastly, he wanted to make it clear that using Persona did not
mean that a site had to get rid of the other login buttons, "just that
maybe you should", he said. Persona can peacefully coexist with these
other login mechanisms.
In conclusion, Callahan said he had a request: "spend one hour with Persona
this week". You could add it to your site in an hour, he said, but if not,
just try it out on some site.
Persona is still in beta, so it is "able to
be shaped by your feedback". Also, he requested, please ask one site that
you use to
support Persona, "that's how we are going to change the future of the
web". Persona will allow everyone—not just the few who understand
OpenID or password managers—to have a safer, more secure web.
[ In keeping with Callahan's request, we will be looking into Persona
support for LWN. ]
Comments (36 posted)
Brief items
Nationalism is rife on the Internet, and it's getting worse. We need to
damp down the rhetoric and-more importantly-stop believing the propaganda
from those who profit from this Internet nationalism. Those who are beating
the drums of cyberwar don't have the best interests of society, or the
Internet, at heart.
--
Bruce
Schneier
Comments (3 posted)
New vulnerabilities
apt: altered package installation
| Package(s): | apt |
CVE #(s): | CVE-2013-1051
|
| Created: | March 15, 2013 |
Updated: | March 20, 2013 |
| Description: |
From the Ubuntu advisory:
Ansgar Burchardt discovered that APT incorrectly handled repositories that
use InRelease files. The default Ubuntu repositories do not use InRelease
files, so this issue only affected third-party repositories. If a remote
attacker were able to perform a man-in-the-middle attack, this flaw could
potentially be used to install altered packages. |
| Alerts: |
|
Comments (none posted)
bugzilla: cross-site scripting
| Package(s): | bugzilla |
CVE #(s): | CVE-2013-0785
CVE-2013-0786
|
| Created: | March 18, 2013 |
Updated: | March 20, 2013 |
| Description: |
From the Bugzilla advisory:
* When viewing a bug report, a bug ID containing random code is not
correctly sanitized in the HTML page if the specified page format
is invalid. This can lead to XSS.
* When running a query in debug mode, it is possible to determine if
a given confidential field value (such as a product name) exists.
Bugzilla 4.1 and newer are not affected by this issue. |
| Alerts: |
|
Comments (none posted)
chromium: multiple vulnerabilities
| Package(s): | chromium |
CVE #(s): | CVE-2013-0879
CVE-2013-0880
CVE-2013-0881
CVE-2013-0882
CVE-2013-0883
CVE-2013-0884
CVE-2013-0885
CVE-2013-0886
CVE-2013-0887
CVE-2013-0888
CVE-2013-0889
CVE-2013-0890
CVE-2013-0891
CVE-2013-0892
CVE-2013-0893
CVE-2013-0894
CVE-2013-0895
CVE-2013-0896
CVE-2013-0897
CVE-2013-0898
CVE-2013-0899
CVE-2013-0900
|
| Created: | March 14, 2013 |
Updated: | March 20, 2013 |
| Description: |
From the openSUSE advisory:
Chromium was updated to version 27.0.1425 having both stability and security fixes:
- High CVE-2013-0879: Memory corruption with web audio
node
- High CVE-2013-0880: Use-after-free in database
handling
- Medium CVE-2013-0881: Bad read in Matroska handling
- High CVE-2013-0882: Bad memory access with excessive
SVG parameters.
- Medium CVE-2013-0883: Bad read in Skia.
- Low CVE-2013-0884: Inappropriate load of NaCl.
- Medium CVE-2013-0885: Too many API permissions
granted to web store
- Medium CVE-2013-0886: Incorrect NaCl signal handling.
- Low CVE-2013-0887: Developer tools process has too
many permissions and places too much trust in the
connected server
- Medium CVE-2013-0888: Out-of-bounds read in Skia
- Low CVE-2013-0889: Tighten user gesture check for
dangerous file downloads.
- High CVE-2013-0890: Memory safety issues across the
IPC layer.
- High CVE-2013-0891: Integer overflow in blob handling.
- Medium CVE-2013-0892: Lower severity issues across
the IPC layer
- Medium CVE-2013-0893: Race condition in media
handling.
- High CVE-2013-0894: Buffer overflow in vorbis
decoding.
- High CVE-2013-0895: Incorrect path handling in file
copying.
- High CVE-2013-0896: Memory management issues in
plug-in message handling
- Low CVE-2013-0897: Off-by-one read in PDF
- High CVE-2013-0898: Use-after-free in URL handling
- Low CVE-2013-0899: Integer overflow in Opus handling
- Medium CVE-2013-0900: Race condition in ICU
|
| Alerts: |
|
Comments (none posted)
clamav: unspecified vulnerabilities
| Package(s): | clamav |
CVE #(s): | |
| Created: | March 20, 2013 |
Updated: | March 28, 2013 |
| Description: |
From the Mandriva advisory:
ClamAV 0.97.7 addresses several reported potential security
bugs. Thanks to
Felix Groebert, Mateusz Jurczyk and Gynvael Coldwind of the Google Security
Team for finding and reporting these issues. |
| Alerts: |
|
Comments (none posted)
firebird: multiple vulnerabilities
| Package(s): | firebird |
CVE #(s): | CVE-2013-2492
CVE-2012-5529
|
| Created: | March 18, 2013 |
Updated: | April 3, 2013 |
| Description: |
From the CVE entries:
Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information. (CVE-2013-2492)
TraceManager in Firebird 2.5.0 and 2.5.1, when trace is enabled, allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) by preparing an empty dynamic SQL query. (CVE-2012-5529) |
| Alerts: |
|
Comments (none posted)
glance: information disclosure
| Package(s): | glance |
CVE #(s): | CVE-2013-1840
|
| Created: | March 15, 2013 |
Updated: | March 20, 2013 |
| Description: |
From the Ubuntu advisory:
Stuart McLaren discovered an issue with Glance v1 API requests. An
authenticated attacker could exploit this to expose the Glance operator's
Swift and/or S3 credentials via the response headers when requesting a
cached image. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2013-0913
CVE-2013-0914
|
| Created: | March 18, 2013 |
Updated: | March 22, 2013 |
| Description: |
From the Red Hat bugzilla [1, 2]:
[1] Linux kernel built with Direct Rendering Manager(DRM) i915 driver for the
the Direct Rendering Infrastructure(DRI) introduced by XFree86 4.0, is
vulnerable to a heap overflow flaw.
An user/program with access to the DRM driver could use this flaw to crash
the kernel, resulting in DoS or possibly escalate privileges.
[2] Linux kernel is vulnerable to an information leakage flaw. This occurs when a process calls routine - sigaction() - to access - sa_restorer - parameter. This parameter points to an address that belongs to its parent process' address space.
A user could use this flaw to infer address layout of a process.
|
| Alerts: |
|
Comments (none posted)
kernel: privilege escalation
| Package(s): | kernel |
CVE #(s): | CVE-2013-1860
|
| Created: | March 20, 2013 |
Updated: | March 22, 2013 |
| Description: |
From the Red Hat bugzilla:
Linux kernel built with USB CDC WDM driver is vulnerable to heap buffer overflow flaw.
An unprivileged local user could use this flaw to crash the kernel or, potentially, elevate their privileges.
Please note that a physical access to the system or plugging in random USB device is needed in order to exploit this bug. |
| Alerts: |
|
Comments (none posted)
krb5: denial of service
| Package(s): | krb5 |
CVE #(s): | CVE-2012-1016
|
| Created: | March 18, 2013 |
Updated: | March 20, 2013 |
| Description: |
From the CVE entry:
The pkinit_server_return_padata function in plugins/preauth/pkinit/pkinit_srv.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 attempts to find an agility KDF identifier in inappropriate circumstances, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted Draft 9 request. |
| Alerts: |
|
Comments (none posted)
libvirt-bin: unintended write access
| Package(s): | libvirt-bin |
CVE #(s): | CVE-2013-1766
|
| Created: | March 18, 2013 |
Updated: | March 20, 2013 |
| Description: |
From the Debian advisory:
Bastian Blank discovered that libvirtd, a daemon for management of virtual
machines, network and storage, would change ownership of devices files so they
would be owned by user `libvirt-qemu` and group `kvm`, which is a general
purpose group not specific to libvirt, allowing unintended write access to
those devices and files for the kvm group members. |
| Alerts: |
|
Comments (none posted)
lighttpd: symlink attack
| Package(s): | lighttpd |
CVE #(s): | CVE-2013-1427
|
| Created: | March 18, 2013 |
Updated: | March 20, 2013 |
| Description: |
From the Debian advisory:
Stefan Bühler discovered that the Debian specific configuration file for
lighttpd webserver FastCGI PHP support used a fixed socket name in the
world-writable /tmp directory. A symlink attack or a race condition could be
exploited by a malicious user on the same machine to take over the PHP control
socket and for example force the webserver to use a different PHP version. |
| Alerts: |
|
Comments (none posted)
pam-xdg-support: privilege escalation
| Package(s): | pam-xdg-support |
CVE #(s): | CVE-2013-1052
|
| Created: | March 18, 2013 |
Updated: | March 20, 2013 |
| Description: |
From the Ubuntu advisory:
Zbigniew Tenerowicz and Sebastian Krzyszkowiak discovered that
pam-xdg-support incorrectly handled the PATH environment variable. A local
attacker could use this issue in combination with sudo to possibly escalate
privileges. |
| Alerts: |
|
Comments (none posted)
poppler: multiple vulnerabilities
| Package(s): | poppler |
CVE #(s): | CVE-2013-1788
CVE-2013-1790
|
| Created: | March 14, 2013 |
Updated: | April 2, 2013 |
| Description: |
From the Red Hat bugzilla:
CVE-2013-1788: A number of invalid memory access flaws were reported in poppler (fixed in version 0.22.1):
- Fix invalid memory access in 1150.pdf.asan.8.69 [1].
- Fix invalid memory access in 2030.pdf.asan.69.463 [2].
- Fix another invalid memory access in 1091.pdf.asan.72.42 [3].
- Fix invalid memory accesses in 1091.pdf.asan.72.42 [4].
- Fix invalid memory accesses in 1036.pdf.asan.23.17 [5].
CVE-2013-1790: An uninitialized memory read flaw was reported in poppler (fixed in version 0.22.1):
Initialize refLine totally
Fixes uninitialized memory read in 1004.pdf.asan.7.3 |
| Alerts: |
|
Comments (none posted)
sssd: privilege violation
| Package(s): | sssd |
CVE #(s): | CVE-2013-0287
|
| Created: | March 20, 2013 |
Updated: | April 1, 2013 |
| Description: |
From the Red Hat advisory:
When SSSD was configured as a Microsoft Active Directory client by using
the new Active Directory provider (introduced in RHSA-2013:0508), the
Simple Access Provider ("access_provider = simple" in
"/etc/sssd/sssd.conf") did not handle access control correctly. If any
groups were specified with the "simple_deny_groups" option (in sssd.conf),
all users were permitted access. |
| Alerts: |
|
Comments (none posted)
stunnel: code execution
| Package(s): | stunnel |
CVE #(s): | CVE-2013-1762
|
| Created: | March 18, 2013 |
Updated: | March 20, 2013 |
| Description: |
From the Mageia advisory:
stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM
authentication are enabled, does not correctly perform integer conversion,
which allows remote proxy servers to execute arbitrary code via a
crafted request that triggers a buffer overflow. |
| Alerts: |
|
Comments (none posted)
telepathy-gabble: denial of service
| Package(s): | telepathy-gabble |
CVE #(s): | CVE-2013-1769
|
| Created: | March 14, 2013 |
Updated: | March 22, 2013 |
| Description: |
From the Red Hat bugzilla:
So we have a remotely-triggered DoS: send Gabble a <presence> with a caps hash;
include a form with an anonymous fixed field in the reply; boom. Since anyone
can send presence to anyone else, and Gabble always looks up any caps it sees
in any presences it receives. (Note that this is a presence leak, too; another
bug, I think.) |
| Alerts: |
|
Comments (none posted)
typo3-src: multiple vulnerabilities
| Package(s): | typo3-src |
CVE #(s): | CVE-2013-1842
CVE-2013-1843
|
| Created: | March 18, 2013 |
Updated: | March 21, 2013 |
| Description: |
From the Debian advisory:
CVE-2013-1842:
Helmut Hummel and Markus Opahle discovered that the Extbase database layer was not correctly sanitizing user input when using the Query object model. This can lead to SQL injection by a malicious user inputing crafted
relation values.
CVE-2013-1843:
Missing user input validation in the access tracking mechanism could lead
to arbitrary URL redirection.
See the upstream advisory for additional information. |
| Alerts: |
|
Comments (none posted)
wireshark: multiple vulnerabilities
| Package(s): | wireshark |
CVE #(s): | CVE-2013-2478
CVE-2013-2480
CVE-2013-2481
CVE-2013-2483
CVE-2013-2484
CVE-2013-2488
|
| Created: | March 15, 2013 |
Updated: | March 20, 2013 |
| Description: |
From the Mageia advisory:
- The sFlow dissector could go into an infinite loop (CVE-2012-6054).
- The SCTP dissector could go into an infinite loop (CVE-2012-6056).
- The MS-MMS dissector could crash (CVE-2013-2478).
- The RTPS and RTPS2 dissectors could crash (CVE-2013-2480).
- The Mount dissector could crash (CVE-2013-2481).
- The AMPQ dissector could go into an infinite loop (CVE-2013-2482).
- The ACN dissector could attempt to divide by zero (CVE-2013-2483).
- The CIMD dissector could crash (CVE-2013-2484).
- The FCSP dissector could go into an infinite loop (CVE-2013-2485).
- The DTLS dissector could crash (CVE-2013-2488).
|
| Alerts: |
|
Comments (none posted)
wireshark: multiple vulnerabilities
| Package(s): | wireshark |
CVE #(s): | CVE-2013-2475
CVE-2013-2476
CVE-2013-2477
CVE-2013-2479
CVE-2013-2482
CVE-2013-2485
CVE-2013-2486
CVE-2013-2487
|
| Created: | March 20, 2013 |
Updated: | March 20, 2013 |
| Description: |
From the CVE entries:
The TCP dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (application crash) via a malformed packet. (CVE-2013-2475)
The dissect_hartip function in epan/dissectors/packet-hartip.c in the HART/IP dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a packet with a header that is too short. (CVE-2013-2476)
The CSN.1 dissector in Wireshark 1.8.x before 1.8.6 does not properly manage function pointers, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. (CVE-2013-2477)
The dissect_mpls_echo_tlv_dd_map function in epan/dissectors/packet-mpls-echo.c in the MPLS Echo dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via invalid Sub-tlv data. (CVE-2013-2479)
The AMPQ dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. (CVE-2013-2482)
The FCSP dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. (CVE-2013-2485)
The dissect_diagnosticrequest function in epan/dissectors/packet-reload.c in the REsource LOcation And Discovery (aka RELOAD) dissector in Wireshark 1.8.x before 1.8.6 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (infinite loop) via crafted integer values in a packet. (CVE-2013-2486)
epan/dissectors/packet-reload.c in the REsource LOcation And Discovery (aka RELOAD) dissector in Wireshark 1.8.x before 1.8.6 uses incorrect integer data types, which allows remote attackers to cause a denial of service (infinite loop) via crafted integer values in a packet, related to the (1) dissect_icecandidates, (2) dissect_kinddata, (3) dissect_nodeid_list, (4) dissect_storeans, (5) dissect_storereq, (6) dissect_storeddataspecifier, (7) dissect_fetchreq, (8) dissect_findans, (9) dissect_diagnosticinfo, (10) dissect_diagnosticresponse, (11) dissect_reload_messagecontents, and (12) dissect_reload_message functions, a different vulnerability than CVE-2013-2486. (CVE-2013-2487)
|
| Alerts: |
|
Comments (none posted)
zoneminder: multiple vulnerabilities
| Package(s): | zoneminder |
CVE #(s): | CVE-2013-0232
CVE-2013-0332
|
| Created: | March 15, 2013 |
Updated: | April 3, 2013 |
| Description: |
From the Debian advisory:
Multiple vulnerabilities were discovered in zoneminder, a Linux video
camera security and surveillance solution. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2013-0232:
Brendan Coles discovered that zoneminder is prone to an arbitrary
command execution vulnerability. Remote (authenticated) attackers
could execute arbitrary commands as the web server user.
CVE-2013-0332:
zoneminder is prone to a local file inclusion vulnerability. Remote
attackers could examine files on the system running zoneminder. |
| Alerts: |
|
Comments (none posted)
Page editor: Jake Edge
Next page: Kernel development>>
